Personal data and digital security: practical approaches to reforming Kazakhstan’s legislation in light of the GDPR
https://doi.org/10.46914/2959-4197-2025-1-2-7-53-62
Abstract
This article examines the current state and development prospects of Kazakhstan’s personal data protection system through a comprehensive comparative legal analysis with the European Union’s General Data Protection Regulation (GDPR). The study identifies key deficiencies in Kazakhstan’s legal and institutional framework, particularly the limited scope of enforcement mechanisms and the inadequacy of administrative penalties in deterring violations. Emphasis is placed on the extraterritorial reach, strict compliance requirements, and high sanctions under the GDPR, which collectively contribute to its global influence. Drawing from case studies, expert policy reports, and regulatory practices, the article underscores the importance of strengthening legal accountability, enhancing state oversight functions, and establishing proactive enforcement capabilities. Special attention is given to the role of digital sovereignty and the integration of internationally recognized standards into Kazakhstan’s legislative environment. The analysis also highlights domestic corporate practices that are beginning to align with GDPR principles, using Air Astana as a pioneering example. The article concludes by offering concrete policy recommendations, including the introduction of mandatory breach notification procedures and legislative reform to empower supervisory authorities. These measures are essential for creating a more transparent, secure, and rights-based approach to personal data governance in Kazakhstan.
About the Authors
Z. S. Dyussebayev
Kazakhstan
PhD student
Almaty
G. T. Alayeva
Kazakhstan
c.l.s., professor
Almaty
K. A. Dzhumabayeva
Kazakhstan
PhD, associate professor
Almaty
M. StvoL
Poland
PhD, professor
Gdansk
Review
For citations:
Dyussebayev Z.S., Alayeva G.T., Dzhumabayeva K.A., StvoL M. Personal data and digital security: practical approaches to reforming Kazakhstan’s legislation in light of the GDPR. Eurasian Scientific Journal of Law. 2025;(2(11)):53-62. https://doi.org/10.46914/2959-4197-2025-1-2-7-53-62